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Abstract. In this paper, we show a general way to interpret the infrastruc- 
ture of a global field of arbitrary unit rank. This interpretation generalizes the 
prior concepts of the giant step operation and /-representations, and makes it 
possible to relate the infrastructure to the ( Arakelov) divisor class group of the 
global field. In the case of global function fields, we present results that estab- 
lish that effective implementation of the presented methods is indeed possible, 
and we show how Shanks' baby-step giant-step method can be generalized to 
this situation. 

1. Introduction 

The infrastructure of a global field, i.e. of a number field or a function field over 
a finite field, is a group-like algebraic structure. It is a crucial ingredient in the 
computation of the regulator, a system of fundamental units, and the order and 
structure of the ideal class group. In the case of a one-dimensional infrastructure, 
which occurs in in fields of unit rank one, this group-like structure was first used by 
D. Shanks to compute the regulator of a real quadratic number field via a baby-step 
giant-step algorithm. 

In this paper, we present a framework of infrastructure that unifies number 
fields and function fields. The crucial tool to accomplish this are /-representations; 
these represent a group well suited for computations into which the infrastructure 
embeds. Using /-representations, we obtain giant steps, which are an important 
tool in algorithms of baby-step giant-step type. We establish that /-representations 
require little storage and lend themselves very well to computation. They can be 
efficiently used for determining a system of fundamental units of a global function 
field. We provide evidence for this by presenting preliminary implementation results 
as well as non-trivial numerical examples. 

The idea behind /-representations was described in |Fon08j in the one-dimen- 
sional case, i.e. for infrastructures obtained from global fields of unit rank one. The 
concept of /-representations goes back to (/^-representations, which were intro- 
duced in the context of cryptography in real quadratic number fields by D. Hiihn- 
lein and S. Paulus [HPOlj and M. J. Jacobson Jr., R. Scheidler and H. C. Williams 
[JSWOlj . 
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Infrastructures of number fields and, more recently, of function fields have been 
studied for some time. Their investigation has its roots in C. F. Gaufi' study of 
the composition of binary quadratic forms, as well as J.-L. Lagrange's continued 
fraction algorithm. The infrastructure first appeared explicitly in the context of 
generalizing continued fraction expansion. In his PhD dissertation, G. Voronoi 
found a generalization of continued fraction expansion by minima of lattices and 
formulated an algorithm to find a system of fundamental units of a cubic number 
field [DF64] . 

The set of minima of a global field was studied, for example in Bcr63, HP87 , and 
was used for computing fundamental units in number fields, for example in [PZ771 
ISte77j IAQ82) IPZ82| IPWZ82] . J. A. Buchmann generalized Voronof's algorithm 
to number fields of unit rank one and two |Buc85j . Subsequently, he presented a 
generalization of Lagrange's algorithm for computing fundamental units in arbitrary 
number fields in 0(R ■ |A| e ) binary operations; here e > arbitrary, R is the 
regulator and A the discriminant of the number field |Buc87a] , Note that R = 
C(|A| 1/2+£ ) for any e > 0. 

In 1972, D. Shanks Sha72 discovered that the principal infrastructure of a real 
quadratic number field supports a group-like structure. With every element of 
the principal infrastructure is associated a distance which imposes an ordering on 
this set. The infrastructure supports two operations: a baby step, which proceeds 
cyclically from one element to the next in this ordering, and a giant step, which is 
akin to multiplication in a cyclic group and under which distances behave almost 
additively. As a result, the principal infrastructure is almost an abelian group un- 
der giant steps that only slightly fails associativity. Using this group-like behavior, 
Shanks was able to compute the regulator and therefore the absolute value of a fun- 
damental unit of a real quadratic number field in 0(y/R) steps instead of the O(R) 
steps required by the classical algorithm of Lagrange. Note that writing down a 
system of fundamental units requires O(R) binary operations, whence no algorithm 
can compute a system of fundamental units in time faster than O(R). However, 
the logarithm of an absolute value of a fundamental unit can be computed faster. 
Shanks' method was further analyzed and refined by H. W. Lenstra, R. Schoof, 
H. C. Williams and M. C. Wunderlich in |Len82l ISchgl IW1185L IWW87) . and fi- 
nally generalized to all number fields of unit rank one by Buchmann and Williams 
[BW88] . 

Shanks' method was first extended to function fields in works of A. Stein and 
H. G. Zimmer [Ste9 2l EM] , Stein and Williams [SW98I ETW99] and Scheidler and 
Stein |SS98[ ISchOlj . The relationship between the infrastructure in real elliptic 
and hyperelliptic function fields and the divisor class group in their imaginary 
counterparts was investigated by Stein in [Ste97 , and by S. Paulus and H.-G. Ruck 
in [PR99) . 

Shanks' discovery of the infrastructure also led to a number of cryptographic 
applications. The first of these was a Diffic-Hcllman-like key exchange protocol 
described by Buchmann and Williams, and later by Scheidler, Buchmann and 
Williams in [BW90, SBW94]. This was extended in several ways, and additional 
encryption and signature schemes were proposed; some of these are described in 
[BBT94I ISSW96I I.TSW06I I.TSS07j . The security of these systems is argued to be 
based on the hardness of computing distances or computing the regulator; the hard- 
ness of these problems is analyzed, for example, in [MST99, Jac99 ( MauOO, Vol03 . 
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All efficient algorithms and cryptosystems based on the infrastructure crucially 
require the giant step operation. This raises the question of whether a giant step 
can be defined and used efficiently in all global fields, not just of unit rank one. 
In the number field case, Buchmann showed in his habilitation thesis |Buc87b] 
that there is in fact such a giant step, and that this giant step can be used to 
compute the absolute values of fundamental units in 0(y/R- 1 A| e ) binary operations. 
Unfortunately, this algorithm was only published in Buchmann's thesis, which was 
written in German and is not easily accessible. Later, Schoof presented a modern 
treatment of the general number field case using Arakelov divisor theory [3ch08 . 
This is so far the most general treatment of infrastructure. It includes the concept of 
a giant step, even though Schoof does not give a baby-step giant-step algorithm like 
Buchmann's. Both Buchmann's and Schoof 's giant steps rely on a simple reduction 
strategy: the infrastructure is in both cases a subset of the set of fractional ideals, 
whose elements are called "reduced ideals" , and the giant step roughly corresponds 
to multiplying two such ideals. The result is in general not inside this set, but after 
finding a "short" element in the product and dividing by it, the resulting ideal will 
lie in this set. This process of chosing the short element is called reduction. 

In this paper, we present for the first time a unified treatment of number fields 
and function fields and define infrastructure for any unit rank. Moreover, we provide 
a connection between the infrastructure and the (Arakelov) divisor class group and 
relate the arithmetic in these two objects. The key point is a more sophisticated 
reduction strategy, mimicking the reduction described by F. He8 for arithmetic in 
the divisor class groups of global function fields He602]. For that, we have to use 
a slightly different embedding of the reduced ideals into the Arakelov divisor class 
group than the one used by Schoof. We also do not use the oriented Arakelov divisor 
class group, but instead an equivalence relation on reduced ideals in case when 
there is no real embedding of the number field. This allows us to unify arithmetic 
in the (Arakelov) divisor class group of both number fields and function fields. 
Moreover, in contrast to Schoof's work, we "parameterize" the Arakelov divisor 
class group using equivalence classes of reduced divisors together with a finite set 
of real numbers, and can describe explicit arithmetic using this representation. 
This parameterization generalizes the aforementioned result by Paulus and Ruck 
PR99 on hyperelliptic function fields, and, since it extends Hefi' approach, it also 
generalizes known arithmetic in imaginary hyperelliptic and superelliptic function 
fields [CFA+06IIGPS02] . 

This paper is organized as follows. We begin by giving an overview of the arith- 
metic in number fields and function fields in Section [2] Then we will provide an 
abstract treatment of one-dimensional infrastructures, based on |Fon08j . in Sec- 
tion [3l We discuss how an abstract n-dimensional infrastructure can be defined 
in Section We go on to describe reduced ideals in Section [5] In Section [51 we 
show how to obtain an infrastructure in any global field satisfying the definition 
given in Section [4] We explore the relationship between the infrastructure and the 
divisor class group in Section [3 In Section [8l we show that /-representations can 
be used to effectively perform computation of fundamental units in function fields. 
Finally, we provide concluding remarks and pose some pertinent open questions in 
Section EH 
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2. Arithmetic in Function Fields and Number Fields 

Let if be a global field, i.e., either a function field over a finite field of constants fc, 
or an algebraic number field. In the latter case, denote by k* the roots of unity of 
if and set k := k* U {0}. 

If if is an algebraic function field, we assume that k is the exact field of constants 
of if. Let x <E if be transcendental over Let Ok denote the integral closure of 
k[x] in if and S the set of places of K/k which do not correspond to prime ideals 
of Ok, i.e. the places of if lying over the infinite place of k(x). Note that for any 
non-empty finite choice of S, one can find such an x so that S is the set of places 
lying over the infinite place of k(x). We assume that x and S are fixed throughout 
this paper. In the number field case, let Ok denote the integral closure of Z in if 
and S the set of all archimedean places of if . In both cases, we denote by Vk the 
set of all places of if. If p € Vk is a non-archimedean place, let v v be its normalized 
discrete valuation, Op its valuation ring and m p its valuation ideal. All places in S 
are called infinite, and all others finite. All finite places are non-archimedean. 

In the function field case, the group of divisors Div(if ) is the free abelian group 
generated by Vk- For a divisor D = J2pev K n pP' the degree is defined as deg-D := 
^2pCP K n p degp. The divisors of degree zero form a subgroup of Div(if), denoted 
by Div (if). For an element / £ if* , the principal divisor of / is defined by (/) := 
J2pev K v v (^)P e (^) ' * ne set 01 au sucn divisors forms the group Princ(if ) , and 
the quotient group Pic (if) := Div°(if )/ Princ(if ) is called the (de grcc zero) divisor 
class group of if. Moreover, we have the quotient Pic(if) := Div(if )/ Princ(if ) 

together with the exact sequence >■ Pic (if ) >■ Pic(if) 6S > Z ■ Note 

that the last map (after restricting the codomain to the image) splits across this 
exact sequence, whence we have Pic(if) S Pic (if) x Z. 

In the number field case, the group of divisors Div(if) is the direct product of 
the free abelian group generated by all places outside S and the abelian group M. s 
of all tuples (n p ) pe s of real numbers with pointwise addition. We write elements 
(n p ) p6 s G R s additively as X!pes n pP- F° r p € S, let a : K — > C be a corresponding 
embedding; define degp := I if er(if) C M and degp := 2 elsewhere. Also define 
v p{f) '■— — log |tr(y ) I f° r an Y / S if*. If p is a finite place, i.e. p ^ S, define 
degp := log |O p /m p |. Here, log denotes the natural logarithm. The definition of 
the degree of a divisor and of a principal divisor is analogous to the function field 
case, as is the definition of Pic (if ) and Pic(if ), and we get Pic(if ) = Pic (if ) x R 
in the same way as above. 

If D — X^pgPa- "pP ^ s a divisor, the places p € Vk with n p ^ form the support 
of D. If if is a global function field, let q = \k\ < oo. For non-global function fields, 
let q > 1 be arbitrary. For number fields, let q — e — cxp(f). Then define the 
absolute value with respect to a place p € Vk by |/| := q~ v * W deg p for / e if* 
and |0L := 0. The fact that principal divisors have degree zero translates to the 
product formula npeP K l/lp = 1 for / G if*. 

In both number fields and function fields, a finitely generated Oi<--submodule of 
if is called a fractional ideal. Throughout this paper, we will often say "ideal" when 
we mean "non-zero fractional ideal". The set of non-zero fractional ideals Id(Ox) 
forms a free abelian group under multiplication, with the set of non-zero prime 



Note that we do not assume that K/k(x) is separable. 
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ideals of Ok as a basis. These prime ideals correspond to the places of A outside 
5: if p is such a place, m p n Ok is the corresponding prime ideal of Ok- More- 
over, we have a natural homomorphism Div(A) — > Id(Ox) defined by ^ n p p H > 
Ilp^s( m P n CkO - ™*- This homomorphism extends to a map Pic (if) — > Pic(Ok), 
where Y\c(Ok) '■= ld(0^)/ Princ(C^-) is the ideal class group of Ok, i.e. the quo- 
tient of Id(0K ) with the subgroup Princ(0/<- ) = {jOk \ f G AT*} of non-zero 
principal fractional ideals. 

Note that forming principal divisors or principal ideals give homomorphisms 
A* -> Princ(A) C Div°(A), / (/) and A* -> Princ(Gx) C Id(C^), / i-> 

Finally, denote by Div ^ (if) the set of divisors in Div° (A) that are only supported 
at places in 5. All the aforementioned maps give rise to the following commuting 
diagram with exact rows and columns: 



1 I | 

>* 0* K /k* Div^(A) ^ T >* 

III 

>■ K*/k* >■ Div°(A) » Pic°(A) ^ 

III 

>- K*/0* K ^ ld(0 K ) >■ Pic(0 K ) >■ 

I I s I 
H ^H' 

I I 



Here, T, H and H' are suitable groups that are discussed in more detail below. 

If A is a number field, Div^(A) = Rl s l _1 , the image of 0* K /k* is a lattice of full 
rank in Rl 5 l _1 and hence T is an (|5| — l)-dimensional torus. Moreover, H = and 
H' = 0. If A is a function field, then Div^(A) ^ Z^l" 1 . If k is finite, then T is 
finite by an analogue of Dirichlet's Unit Theorem Ros02, p. 243, Proposition 14.2]. 
In case k is infinite, T can be finite or infinite, and both possibilities occur; see 
[HP871 Section 4] for examples with k = Q. We have H = = H' if and only if 
(degp | p G 5) = (degp | p G V K ), as H = (dcgp | p e V K )/(degp | p € 5). Here, 
(degp | p G 5) is the ideal in Z generated by {degp | p G 5}; (degp | p G 5) is 
defined analogously. 

For both number fields and function fields, the rank of 0* K /k* is called the unit 
rank of A. In case A is a number field or T is finite, the rank equals |5| — 1. Note 
that we assumed x to be fixed in the function field case. If the unit rank equals 
n = 151 — 1, let pi,...,p„ G 5 be n distinct places, and si, . ..,e n a system of 
fundamental units of Ok, i.e. a set of units whose residue classes in 0* K /k* are a 
basis of 0* K /k* . Define 



R := 



dct^ Pi (e-,)degpi^ 



G M>o; 



this number is the regulator of A (after fixing a; in the function field case) and is 
independent of the choice of the pi and of the choice of the Ej. 
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3. One-Dimensional Infrastructures 

A one-dimensional infrastructure can be interpreted as a circle with a finite set 
of points on it. This interpretation goes back to Lenstra's work in |Len82| . See also 
[Fon08j for an earlier treatment of (abstract) one-dimensional infrastructures. 

Definition 3.1. A one-dimensional infrastructure (X,d) of circumference R > 
is a finite set A ^ together with an injective map d : X — >• M./RZ. 

This can be visualized as follows; see also Figure QJa). One can interpret M./RZ 
as a circle of circumference R, with a fixed point 6 M./RZ. Then d(X) is a finite 
set of points on this circle, and for every x € X, the residue class d(x) can be 
interpreted as the distance of the point d(x) on the circle to 0. 

The infrastructure essentially offers two operations: 

• baby steps: given x € X, the baby step bs(x) denotes the preimage of the 
element in d(X) on the circle "following" d(x); 

• giant steps: given x, y £ X, the giant step gs(x, y) denotes the preimage of 
the element in d(X) on the circle "before" d{x) + d(y). 

We want to make this more precise. If \X\ = 1, there is only one way to define 
bs : X -> X andgs :IxI->I by bs(x) = x, gs(x,x) = x if X = {x}. If \X\ > 1, 
then we can define these two maps as follows. 

For s = a + RZ and t = b + R7L with a < 6 < a + i?, we denote by [s, t] the 
set {x + RZ | a < x < 6}. If we interpret R/i?Z as a circle, [s,t] will be the circle 
segment starting at s and ending at t in positive direction. See also Figure [TJb) . 

Then for x € A, we can define bs(x) as the unique element of A \ {x} satisfying 

{d(x),d(bs(x))} = d{X)D[d(x),d(bs(x))}, 

i.e. the only two points in d{X) lying on the circle segment [c?(x), <i(bs(x))] are d{x) 
and d(bs(x)); see Figure QJc). For x, y G A, we can define gs(x,j/) as the unique 
element of A satisfying 

{d(gs(x, y))} = d(X) n [d(gs(x, y)), rf(x) + 

i.e. the only point in d(X) lying on the circle segment [d(gs(x, y)), d[x) + d(y)] is 
d (gs(x,y)); see Figure [T^d) . 

The simplest example of one-dimensional infrastructures, which is nevertheless 
important, is given by finite cyclic groups: 

Example 3.2. Let G — (g) be a finite cyclic group of order R. Then we have a 
canonical isomorphism (p : Z/RZ — > G, n t-¥ g n . Concatenating its inverse with 
the inclusion Z/RZ C M./RZ, we obtain an injective map d : G —> M./RZ, making 




(a) (b) (c) (d) 



Figure 1 . Illustrating a one-dimensional infrastructure using a circle 
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(G, d) a one-dimensional infrastructure. This map is the discrete logarithm map 
with base g, i.e. it satisfies g d ^ = h for every h g G. 

Let h € G and <2(/i) = n + EL. Then for /i' = g n ' with n < n' < n + R, we 
have [d(h), d(h')\ n = {%"), ■ • • , d{g n '- 1 ),d{g n ')}. This shows that 

if this set contains exactly two elements, then n' = n + 1. But this translates to 
bs(/i) = g/i, so baby steps on G are simply multiplication by the generator g of G. 

Similarly, if h = g n and ti = g n ' , we see that d(X) n [d(g m ),d(/i) + tf(ft')] = 
{d(g m ),d(g m+1 ), . . ., d( 5 n+n '~ 1 ), %"+"')} if m < n + ri < m + R. This shows 
that gs(h, h') — g™+" = hh', so giant steps on G amount to group multiplication. 

In this paper, we will concentrate on giant steps as they are needed to obtain 
algorithms of square root type, which compute the absolute values of a system of 
fundamental units in 0(\^R) infrastructure operations, where R is the regulator of 
the field. 

The giant step is a binary operation on the finite set X which is not necessarily 
associative. For certain applications, such as using the infrastructure in cryptog- 
raphy, one is interested in having associative operations: the Diffie-Hellman key 
exchange protocol depends on the fact that {x a ) b = {x b ) a for all a,b £ N. More 
precisely, it is not obvious how to define x a without having an associative operation. 

In the infrastructure case, one could define x a as an element y £ X such that 
a ■ d(x) « d(y). But then it is not necessarily true that (x a ) b is equal to (x b ) a . One 
only knows that d((x a ) b ) ~ a ■ b ■ d(x) w d((x b ) a ), but the error here can be up to 
a or b times larger than in a ■ d(x) ~ d(y). In Example 13.21 above, where we start 
with a finite cyclic group G, this error is always since G is of course associative, 
and we recover the original Diffie-Hellman key exchange protocol, whose security 
is based on the fact that computing the map d : G —> R/i?Z is hard for random 
elements of G. 

Note that while the giant step operation is in general not associative, it is almost 
associative: it is so up to a "small error", which can be bounded by d max := 
max{d(bs(x)) — d(x) \ x £ X}, where we identify d(bs(x)) — d(x) with the smallest 
non-negative real number lying in the residue class modulo R. Namely, we have 

d(gs(x, y)) = d(x) + d(y) - e x . y with < e x<v < d max . 

In terms of Figure [1] d max is the maximal distance between two adjacent points on 
the circle. In Example 13.21 above, we have d max = 1, even though the error e X:V will 
always be zero. 

One can ask whether this gap towards an associative operation can be closed. 
One solution is to embed infrastructures into groups. Obviously, M./EZ is a group 
under addition. Unfortunately, as seen in Example 13.21 the embedding d is in 
general not very helpful, since it is often hard to evaluate; in the example, evaluating 
it is equivalent to compute a discrete log arithm, wh ich, depending on the group G, 
can be a hard problem; see for example CFA + 06] , We want a group suitable for 



effective computations, into which X embeds by an easily computable embedding. 
In order to achieve that, we require /-representations: 

Definition 3.3. An element (x, t) e XxRis called an f -representation if < t < R 
and 

{d(x)} = [d(x),d(x) + 1] n d(X). 
Denote the set of all /-representations by Rep' (X, d) . 
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Figure 2. Illustrating /-representations in a one-dimensional infrastructure 



The /-representation (x,t) represents the element s := d(x) + 1 € M./RZ. The 
condition on t implies that t is minimal for such a representation: it is the smallest 
distance from the point s — d(x) +t on the circle backwards to a point in d(X) 
(namely d{x)). In other words, t is small enough that no image under d of any 
element in X \ {x} lies in the circle segment \d(x),d(x) + t\. The simplest /- 
representations are the one of the form (x, 0), where x € X; this shows that we can 
embed X into Rep? (X, d) by x (x, 0). 

In Example l3.2[ we have Rep-^ (G, d) = Gx [0, 1). Moreover, the /-representations 
of various elements of the example in Figure [T] are shown in Figure [5] 

We obtain the following result which shows that the set of /-representations can 
be identified with the group (R/RZ, +). 

Proposition 3.4. The map 

d : Rep f {X, d) -> R/RZ, (x, t) i-» d(x) + 1 
is a bijection. □ 

This allows us to pull the group operation of R/RZ back to the set Rep? (X, d), 
giving an operation + on Repf(X,d) by (x,t) + (x',t') := d^ 1 (d(x,t) + d(x',t')). 
The following remark describes an algorithm which computes the group operation 
on Rep^(X, d) using baby and giant steps. 

Remark 3.5. For (x, t), (x' , t') £ Repf(X,d), consider 

(x", t") := (gs(x, x'), t + t'+ (d(x) + d(x') - d(gs(x, x')))) e X x M; 

this ensures that d{x") + t" = d(x,t) + d(x',t'). In general, (x",t") <£ Rep f (X,d), 
but t" > is not too big; more precisely, t" < 3d max . The idea of the algorithm for 
realizing the group operation on Repf (X, d) is to decrease t" using baby steps, while 
preserving the invariant d(x") + t" = d(x, t) + d(x' , t'), until (x",t") € Rep? (X, d). 

For that, note that for t" > 0, we have (x",t") € Repf(X, d) if and only if 
t" < d(bs(x")) — d(x"), i.e. if t" is smaller than the distance from x to bs(ir). 
Hence, we iteratively replace (x",t") by (bs(x"),t" — (d(bs(x")) — d(x"))) as long 
as t" > is satisfied. 

The smallest non-negative *" yields {x",t") e Rep? (X,d) with d(x",t") = 
d(x,t)+d(x' ,t'), and therefore {x" ,t") is the sum of (x,t) and (x',t') in Repf(X,d). 

Finally, if we define <i m i n := mm{d(bs(x)) — d(x) \ x E X}, we see that this 
process requires at most 3 ^ max baby step computations and one giant step compu- 
tation. 

The algorithm first uses giant steps to compute a pair (x",t") G X x R with 
d{x") + t" = d(x,t) +d(x',t'), where t" is "small", and then "reduces" (x",t") 
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to an element of Rep^ (X, d) . To make this more precise, we need to introduce a 
reduction map red(x,d) : K/iJZ — > X. For a point s on the circle R/i?Z, we want 
red(x,d) (s) to be the preimage of the element in d(X) "before" s. More precisely, 
we want red(x,d) (s) to be the unique element in X such that 

{<Z(red (x , rf) (s))} = d(X)n [d(red (x>d) (s)),s], 

i.e. d(red(x,d)(s)) is the only point in d(X) lying on the circle segment [d(red^x,d) (s)), 
s]. Hence, red(x,d) assigns to each s G M./RZ some a; € X such that s, and 

satisfies red^d)^^)) = a?- The algorithm in Remark [331 computes red(d(x") +<") 
for t" > 0; one can easily adjust it to work for t" < as well. 

If one compares the definition of red(x,d) to Figure [2j one quickly sees that if 
(x, t) <E Repf(X, d) represents s, i.e. if d{x) +t = s, then red(x,d)(s) = x. Hence, if 
7r:IxK^l denotes the projection onto the first component, we see that 

red(x,d)(s) = 7ri(d _1 (s)). 

In the context of Example 13.21 where we obtained a one-dimensional infrastruc- 
ture (G, d) from a finite cyclic group G = (g), we see that red(s + RL) = pl^J for 
s G R. This directly follows from the fact that Rep 7 (G,d) = G x [0, 1). 

Moreover, one can see that the reduction map red(x,d) can be used to define 
Rep^(X, d) and giant steps, as 

Rep ; (X, d) = {(as, t) e X x K | red (x,d)(d(x) +t) — x} 

and gs(x, y) = red ( x,d) (d(a;) + d(y)) for all x,y eX. 

It is obvious that our choice of red(x,d) is not the only one possible. One could 
choose red(x.d) snch that d(red( X .d){ s )) is closest to s, with a rule to break ties; 
such a reduction map is for example used in [GHM08 in the case of infrastructures 
obtained from real quadratic function fields. The advantage of such a reduction map 
is that it reduces the number of baby steps in Remark 13.51 to at most ^ max . Using 
a different reduction map would result in different /-representations and possibly 
also different giant steps. We will investigate this relationship between reduction 
maps and /-representations in more detail in the next section. 

An interesting question is where and how infrastructures occur in practice. The 
first known non-associative instance was the infrastructure of a real quadratic num- 
ber field, which was discovered in 1972 by Shanks. It was originally described in 
terms of binary quadratic forms, but an alternative and more accessible description 
uses ideals; see, for example, |Wil85j . We will use the language of ideals since it 
is available in all number fields and function fields. See Section [5] on how the in- 
frastructure can be realized in detail; for the moment, we want to give a simpler 
example: the infrastructure of a real quadratic number field. 

Example 3.6 (compare [Wil85] ). Let K — Q(y/D) be a real quadratic number 
field, where D > 1 is a squarefree integer. Note that there are two embeddings 
K — >• R, one is the identity, and the other one maps \JD to —\f~D. Denote the 
first embedding by a\ and the second one by o~2) then we have S = {pi,p2} with 
\h\ 9i = \(x i {h)\fach&K. 

We say that a fractional ideal a € ld(0#-) is reduced if 1 £ a, and for every 
/i e a satisfying \fi\ 1 < 1 and \fi\ 2 < 1 we have [i 6 { — 1,0, 1}. Using the Minkowski 
embedding $ : K — > K <g)Q R = R 2 , given by h i-> (ai(h), ct 2 (M)j we can visualize 
a as a lattice <!>(a) of rank two in R 2 . The condition that o is reduced is equivalent 
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-1 - 2\/2* 



-1 - 



-2 - V2* 



.2 + ^2 



,1 + V2 



,V2 



,1 + 2^2 



Figure 3. The Minkowski embedding (ffi,^) of Ok in the real 
quadratic number field K = Q(a/2). The grey square is [—1, l] 2 . 



to the property that the square [—1, l] 2 contains exactly the three points (—1, — 1), 
(0, 0) and (1, 1) of $(a). The unit ideal Ok is always reduced. See Figure[3]for an 
example. 

Let e G Ok be the fundamental unit with e > 1. We have 0* K = {±e n | n e Z}. 
Set R := loge; then R is the regulator of K. If a — —Ok is a reduced fractional 
ideal, the elements in \xO* K are exactly the elements // such that a = ^rOif, whence 
{-log|ji/| | a= jrO K } = - \og\n\+RL. Define d(±0 K ) ■= — logjyuj +RZ; then d 
is a map from the set X of reduced principal ideals to R/i?Z. One can show that 
X is finite and that d is injectiveH Then (X, d) is a one-dimensional infrastructure: 
in fact, this is the infrastructure used by Shanks in Sha72 , translated into the 
language of ideals. 

Computation of baby steps and giant steps is done by continued fraction expan- 
sion. Let o be a principal fractional ideal with aflQ — Z; any reduced ideal satisfies 
this. We can then write a = Z©0Z with (f> = (P+\D)/Q, and compute the contin- 
ued fraction expansion of <fi = 0o- If 4>i is the i-th complete quotient, we can write 
4>i — (Pi + \^D)/Qi with Pi, Qi € Z, and it turns out that := ZQ^Z is a principal 
fractional ideal. There exists some iq £ N, depending on a, such that for all i > io, 
cii is reduced. In fact, {a^ | i > io} is the set of all reduced principal ideals X. If a; 
is reduced, bs(cii) = 0,+i. Moreover, if one defines red(a) = a n if n > is chosen 
minimal under the condition that a„ is reduced, then gs(a;,aj) = red^a^) is the 
giant step operation used by Shanks in [Sha72] . 

One can use this to define a reduction map on a dense subset of R./RZ. For 
that, note that the map * : Pld(K) -> R/RZ, \O k i-» - log |/x| + R% is injective 
as argued in Footnote HJ The set ^(Pld(K)) is a dense subgroup of R/i?Z, and if 
s € M/RZ lies in the image of Vf, one can define red(s) := red(4' _1 (s)). This was 
in fact done by Lenstra in |Len82j . and Lenstra called the image of 'I' a "circular 
group" since it is a dense subset of the circle M./RZ. (Note that Lenstra uses a 
distance map that is different from the one introduced by Shanks.) 



2 This is a special case of Proposition 15. 51 with X = RediOx) and d = dP K , when we identify 
an equivalence class [a]~ with a, since by Corollary 15.31 every class contains exactly one ideal. 
In this special case, at least the injectivity of d is rather obvious, since h i— > log \ h\ is a group 
homomorphism (K*, ■) — > (R, +) with kernel {—1, 1} = k* C 0* K . 
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4. n-DlMENSIONAL INFRASTRUCTURES 

In this section, we want to define an abstract n-dimensional infrastructure. We 
want this definition to share most properties of one-dimensional infrastructures. 
Unfortunately, it is not as clear as in the one-dimensional case how baby steps, 
giant steps and /-representations can be defined. We will see that as outlined in 
the discussion of the one-dimensional case in the previous section, /-representations 
and reduction maps are equivalent, and both yield giant steps. As a consequence of 
the additional freedom gained in the n-dimensional case, we are forced to include 
more information on the infrastructure in the definition, namely a reduction map. 

Note that we will ignore baby steps for the rest of this paper. For n-dimensional 
infrastructures obtained from global fields one can define n + 1 baby step functions, 
see for example }Buc85| . [LSY03] or |Fon09[ Section 3.5]. These definitions come 
from the relation of the infrastructure to the set of minima of an ideal, but there 
is no reason an abstract n-dimensional infrastructure arises from such a structure. 
Moreover, such baby steps do not always behave as expected, as it might happen 
that certain minima cannot be reached by baby steps. So far, it is unknown whether 
there is a usable definition of baby steps for abstract n-dimensional infrastructures 
when n > 1. 

We want to make the definition on an n-dimensional infrastructure slightly more 
general by allowing to restrict to a suitable subgroup G of R. For example, for 
infrastructures obtained from function fields, the natural subgroup to restrict to is 
Z, since all valuations of a function field are discrete. In case of Example 13. 6[ one 
could restrict to the subgroup {log \fi\ \ fi € K*}; then the function red from the 
example will no longer be partially defined, and one essentially obtains the group 
(though not the distance function) of Lenstra |Len82j . 

Throughout this section, fix a suitable non-zero subgroup G of R. The similarity 
to Section [3] is clearer if one assumes G = R. In the following sections, we will 
restrict to G = Z in the function field case and G = R in the number field case. 

The natural analogue to a circle R/i?Z in n dimensions is an n-dimensional 
torus R"/A, where A is a lattice of full rank. Since we want to restrict to G, we 
assume that A C G n . Moreover, we abuse terminology by calling G n /A a torus, 
even though we can in general only embed it canonically into the torus R™/A. Note 
that both the circle R/i?Z and the torus G n /A have a fixed point 0. 

A natural generalization of a one-dimensional infrastructure would be a finite 
set X ^ together with an injective map d : X — > G n /A. Unfortunately, the 
situation is not as simple as in the one-dimensional case. The problem lies in the 
definition of /-representations and the giant step function, not to mention the baby 
step function(s). In the one-dimensional case, one has essentially two directions on 
the circle: one can go clockwise and counterclockwise. In fact, our circle M./RZ 
has a distinguished direction corresponding to the positive direction on the real 
line. This allows us to define baby steps as going "forward" , and we can define 
giant steps, /-representations and the reduction map by taking an element of d(X) 
"before" a point on the circle. 

As soon as n > 1, the torus G n /A has infinitely many directions, none of them 
more distinguished than others. This gives many more choices for giant steps, 
/-representations and reduction maps, not to mention baby steps. We will be 
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forced to include a particular choice in the definition of an n-dimensional infras- 
tructure. Before we do that, let us formalize the notions of reduction maps and 
/-representations and discuss their relationship. 

Let X be a finite set and d : X — > G"/A be a injective map. 

Definition 4.1. 

(a) a reduction map (for (X, d)) is a map red : G"/A — > A" satisfying red(d(ic)) = x 
for every 

(b) f -representations (for (X, d)) are a subset Rep-^ C X x G™ satisfying AT x {0} C 
Rep-f such that the map 

$ : Rep f G"/A, (a;, i) h> cf(x) + f 

is a bijection. 

If (A", c£) is a one-dimensional infrastructure, then the definition of red(x,d) as 
in Section [3] yields a reduction map in the sense of (a) , and Definition 13.31 and 
Proposition 13.41 yield /-representations in the sense of (b). 

Note that the condition red(d(x)) — x for reduction maps ensures that the only 
fixed points under the map d o red : G"/A — > G n /A are the elements in d(X); i.e. 
these elements can be interpreted as reduced elements: other elements of G ra /A will 
be mapped to a reduced element when applying red, while reduced elements are 
left unchanged under this map. 

We begin by outlining the relationship between reduction maps and /-represen- 
tations in the sense of Definition 14.11 This is analogous to the relationship in the 
one-dimensional case in Section |3l 

If red is a reduction map, then we obtain a set of /-representations by 

Rep f := {(x,t) e X x G" | ved(d{x)+t) = x}. 

Here, we choose pairs (x,t) such that d(x) + t e G"/A will reduce to x. If red 
satisfies d(red(s)) « s for all s € G"/A, then the permissible t values in the /- 
representations will be "small" . Moreover, the condition red(c?(ir) + 1) = x ensures 
that there is a unique /-representation (x,t) for every s 6 G n /A. 

Conversely, if Rep^ is a set of /-representations with induced bijection $ : 
Rep* — > G"/A, then we get a reduction map by 

red:G"/A^A:, s >->• 7ri($ _1 (s)), 

where 7Ti : A" x G™ — > X is the projection onto the first component. This is the 
direct generalization of the map red(x,d) m the one-dimensional case: given a point 
s on the torus G ra /A, we consider the /-representation (x,t) — $ _1 (s) representing 
that point, and return x = ni(x,t). 

Therefore, as in the one-dimensional case, the concepts of reduction maps and of 
/-representations are equivalent. We can continue as in the one-dimensional case 
and define giant steps using these two notions. If red : G n /A — > X is a reduction 
map, we define 

gs(x, y) := ied(d(x) + d(y)) 

for all x, y € X; if Rep^ are /-representations with induced bijection $ : Rep^ — > 
G"/A, we define 

gs(x,y) ^ttx^-^Ot.O) + 0))) 
for alia;, y £ X. Both definitions yield the same giant step operation on X. 
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This discussion gives rise to the following definition of an abstract n-dimensional 
infrastructure: 

Definition 4.2. Let A C G n be a lattice of full rank. 

(a) An n- dimensional infrastructure is a triple {X, d, red), where X ^ is a non- 
empty finite set, d : X —> G"/A an injective map and red : G n /A —> X a 
reduction map for (X, d) . 

(b) If (X, d, red) is an n-dimensional infrastructure, then set 

Rep f (X, d, red) := {(a;, t) G X x G" | red{d(x) + t) = x} 
and gs(x, a;') := red(d(x) + d(y j) for x, x' G X. 

Since R1 is a lattice in R 1 of full rank, we see that a one-dimensional in- 
frastructure (X, d) in the sense of Definition 13.11 is a 1-dimensional infrastruc- 
ture (X, d,red(x,d)) m the sense of Definition 14. 2 [ whose giant steps and /-repre- 
sentations coincide. This shows that our new definition is indeed a generalization 
of the notion of a one-dimensional infrastructure as in Section [3] or [Fon08j . 

We conclude this section with an example, which shows that n-dimensional in- 
frastructures can be seen as a generalization of finite abelian groups. Recall that Ex- 
ample GOJ showed how a finite cyclic group can be interpreted as a one-dimensional 
infrastructure, where the distance map was essentially the discrete logarithm map. 

Example 4.3. Assume that ZCG. Let G = (gi, . . . ,g n ) be a finite abelian group, 
and let 



A := { (ei,...,e„) G Z" 

' i=i 

be the relation lattice of gi, . . . , g n ; this is the kernel of the epimorphism Z" — > G, 
(e u . . . , e„) i— > Iir=i 9-\ whence G <= Z n /A. 

Concatenating the inverse of this isomorphism with the inclusion Z n /A C G n /A, 
we obtain an injective map <i : G — > G n /A. This map is the generalized discrete 
logarithm map with base 5 := (51, . . . , g n ), i.e. it satisfied = /i for every h e G. 

It is easy to see that Rep^ :=Gx(Gfl [0, 1))™ is a set of /-representations for 
(G, d); the corresponding reduction map maps s G G"/A to red(s) := Yi7=i ' 
if s = (ej)j + A. Therefore, (G,d, red) is an n-dimensional infrastructure. The 
induced giant step map is given by 

gs(>, h') = red(d(h) + d{h')) = hti 

for h, b! G G, since d(h) + d(h') = (ei, . . . , e n ) + A with e, G Z and f/^ 1 • • • g^j" = 

This shows that giant steps generalize the group operation in this case as well. 
In particular, in this case, the giant step operation is associative, as opposed to 
general n-dimensional infrastructures. 

5. Reduced Ideals 

Now that we have obtained a definition of an abstract n-dimensional infrastruc- 
ture, we want to construct such an infrastructure from a global field K . The aim 
of this section is to construct the lattice A C G™, the finite set X as well as the 
injective map d : X — > G"/A. In the next section, we will add a reduction map red 
for (X, d) such that {X, d, red) is an n-dimensional infrastructure. 



3 For g = (g u . . . ,g n ) £ G n and v = (v u . ..,«„)£ % n ; define g° := Yl?=i9i 
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For the rest of the paper, let G denote Z if K is a function field and M if K is a 
number field. 

In order to construct the underlying set X , we require the notion of a reduced 
(fractional) ideafl in analogy to Example 13.61 In case if is a function field, reduced 
ideals correspond to certain reduced divisors in the sense of [Hefi02 . 

The notion of a reduced ideal is rather geometric. To describe it, we define the 
notion of a box, which is the set of elements of an ideal (interpreted as a lattice) in 
a bounded area. An ideal will be reduced if a certain box contains elements only 
at very specific positions. Write S = {pi, . . . , p n+ i}, where n=\S\ — 1; then recall 
that the absolute value of an element h E K with respect to a place p is defined as 
\h\ p = q-vpWfe&P, where q > 1 is a constant. 

For tx,-.-, t n +x & G and an ideal a € ld(Ox), we define 

B(a, (tx,..., tn+x)) := {h G | Vt G {1, . . . , n + 1} : \h\ 9i < q** dcgp < }. 

The motivation of this definition comes from the number field case; in that scenario, 
a is a lattice of full rank under the Minkowski embedding K K<8>qM. = Mr, where 
d = [K : Q]. The box B(a, (tx, ■ ■ ■ ,t n +i)) is the set of lattice points lying in the 
symmetric compact convex set described by (f i, . . . , t n +i). If K is totally real, this 
convex set is a hyperrectangle (box) with side lengths 2e {l , . . . , 2e* ra+1 , and if K 
is totally imaginary, this convex set is the direct product of n + 1 closed discs of 
radii e* 1 , . . . , e*" +1 . If K is neither totally real nor totally complex, the convex set 
features both properties; for example, if K has one real embedding corresponding 
to pi and two complex conjugate embeddings corresponding to p2, the convex set 
is a cylinder of length 2e 41 and radius e' 2 . Figure [3] on page [TU] displays the box 
with parameters t\ — t2 = in the real quadratic number field K = Q(\/2) as the 
grey square in the center. 

If fi € K*, we define the abbreviation 

B(a,fi) := B(a,(-v Pl (fJ,),...,-v Pn+1 (p f ))). 

This is the smallest box which would containing /i if /i € a. With this, we are able 
to define reduced ideals: 

Definition 5.1. 

(a) An element /i E a \ {0} is said to be a minimum of a if for every h E B(a, /i) 
we either have h = or |ftL = |/iL for all p E S. Denote the set of all minima 
of a by £ (a). 

(b) An ideal a is said to be reduced if 1 E a is a minimum of o. 

The notation of £(a) for the set of minima goes back to Y. Hellegouarch and 
R. Paysant-Le Roux |HP85j . 

The property that /i is a minimum of a means simply that the box B(a, /i) is 
empty, up to a few elements which always need to belong to B(a,fi): is always 
contained in B(a, fx), as well as /i and e\i for all e E k* , since all absolute values of 
elements in k* are 1. Hence, we ask that all elements in B(a, /i) are either or have 
the same infinite absolute values as fi. For example, in Figure 1 and 1 + V2 are 
minima of O k , while y/2 is not, since 1 E B(O k ,V2) \ {0} has different absolute 
values than y/2. 



Recall that we always mean "non-zero fractional ideal" when we write "ideal" , if not explicitly 
said otherwise. 
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Under certain circumstances, there can be elements in a with the same infinite 
absolute values as fj, other than efi, e G k* , and these elements thus belong to 
B(a, fi) as well. These elements are the reason why the aforementioned equivalence 
relation is needed: if a £ a is such an element, then -a is a reduced ideal different 
from a which will be mapped to the same element by our distance map. For that 
reason, we have to identify any two such ideals if such elements can exist. 

The following proposition shows that in many important situations, such ele- 
ments cannot occur. This includes in particular the case when an infinite place of 
degree one exists. For number fields K, this is always the case unless K is totally 
imaginary, and for function fields one can always move to a constant field extension 
by a splitting field for one of the infinite places. Many treatments of the infras- 
tructure and of arithmetic in function fields require such a place of degree one, 
sometimes explicitly as for HcB' arithmetic [Hefi02j and sometimes implicitly by 
restricting to certain classes of fields; for example, every real quadratic field has 
exactly two infinite places of degree one, and a cubic number field always has a real 
embedding. 

Proposition 5.2. Assume that degp = 1 for some p £ S. Let b be a reduced ideal. 
Then 5(b,(0,...,0)) = k. 

Before we proceed with the proof, we need to introduce a right inverse div : 
IA{Ok) -> Div(if) to the natural map Div(K) IA{Ok) described in Section [5] 
For a fractional ideal b — Ilp^s( m p n C/f)" p , define div(b) := — J2pgs n pP- This 
allows us to relate boxes to Riemann-Roch spaces: we have 

, n+l v 

B(a, (ii,..., t n+ i)) = L ( div(a) + ^ trfi J; 

^ i=l ' 

here, L(D) := {/ G K* | (/) > -D} U {0} for D G Div(K) is the Riemann-Roch 
space of D. 

Proof of Provosition \5 . l A If if is a number field, then degp = 1 means that p 
corresponds to a real embedding; hence, \h\ p — \h'\ for h,h' £ K if and only if 
h = ±h'. Thus, if b is reduced, B(b, (0, . . . , 0)) = k = {-1, 0, 1}. 

If if is a functi on field, then B{b, (0, . . . , 0)) = L(div(b)) D k, and L(div(b)-p) = 
0. But by |Sti931 Lemma 1.4.8], 

= dim fc L(div(b) -p)< dim fe L(div(b)) 

< dim fc L(div(b) -p) + degp = 1, 

whence B(b, (0, . . . , 0)) = k. □ 

For the rest of the section, we fix an ideal a G ld(0/f ). There is a close relation- 
ship between the set of minima of an ideal and the set of reduced ideals in the ideal 
class of that ideal. First note that the unit group 0* K of Ok operates on £ (a) by 
multiplication: if /i G £ (o) and e G 0* K , then e/i £ £(&)■ This shows that the map 

£ (a)/0* K -> U(O k ), uO K ^±a 

is well-defined and injective. The image of this map is exactly the set of reduced 
ideals in the ideal class of a. Denote this set by Red(a). This set, modulo the 
aforementioned equivalence relation, will be our set X. 
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Note that in case K is a function field with degpi = f for some i, the reduced 
ideals b £ Red(K), where 

Red(K) := (J Red(a), 

aeld(G) 

correspond exactly to the divisors D £ Div(K) that are reduced with respect to p, 
in the sense of Hefi |Hefi02] and satisfy v p . (D) = for j £ {1, . . . , n + 1}. This is 
due to the relationship between boxes and Riemann-Roch spaces sketched above, 
and the correspondence is given by b ^ div(b). 

Next, we want to construct the distance map d. In the process of constructing 
d, we obtain the lattice A and derive the equivalence relation needed to define X. 
We begin with the map 

*: K* ^G n , h^{-v Pl {h),...,-v 9n {h)), 

which maps (K* , •) homomorphically into (G™, +). This map plays a crucial role in 
constructing the distance map. The image of 0* K under ^ is a lattice in G™ C R n ; it 
is called the unit lattice of Ok and is denoted by A. For number fields K, A always 
has full rank; this is a consequence of Dirichlet's Unit Theorem. For function fields, 
A has full rank if and only if T is finite. In case A has full rank, we have 

, a R 

det A = FT" A 

In case 0* K has full rank, G n /A C W 1 / A is an n-dimensional torus that will be the 
codomain of our distance map d. 

Note that j-a = jja if and only if h'h' 1 £ 0* K , and this implies £ A. 

Therefore, the map ^{h) + A is well-defined. Ideally, this map will represent 

our distance map. Unfortunately, it is in general not injective on Red (a), whence 
we need to identify elements in Red(a) which are mapped onto the same element 
of G"/A under the map H> ^(h) + A. We will define an equivalence relation ~, 
study it in more detail, and then show in Proposition 15 . 51 that it indeed makes this 
map injective. 

If b, b' are ideals in the ideal class of a such that b = hb' with \h\„ = 1 for all 
p £ S, then b and b' are mapped to the same element of G"/A. Hence, we can 
define the equivalence relation ~ on Id(0/<-) by 

b~ b' :^=> 3h £ K* : b = hb' AVp £ S : \h\ p = 1. 

We thus see that the map Red(a)/^ -t G"/A via [-aL n- &(h) + A is well- 
defined, but we are left to show that it is injective. Note that the above equivalence 
relation ~ is not the equivalence relation on ideals used to define the ideal class 
group Pic(Oif ): we impose the additional condition that \h\„ = 1 for all p £ S. 

We can deduce from Proposition [5]2] that this equivalence relation ~ is trivial in 
case an infinite place of degree one exists: 

Corollary 5.3. Assume that degp = 1 for some p £ S . Let b and b' be two reduced 
ideals. Then b ~ b' if and only if b = b' . 

Proof. If b = hb 1 with \h\ p = 1 for all p £ S, we get h £ B(b, (0, . . . , 0)) and thus, 
by Proposition EH h £ k* C 0* K . □ 

In the general case, testing ~ is more complicated. The following proposition 
shows how this can be done: 
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Proposition 5.4. Let b and b' be two reduced ideals. Then b ~ b' if and only if 
£(b(b')~\(0, ...,0)) ^{0} and degdiv(b) = degdiv(b'). 

Note that in case if is a number field, degdiv(b) = — logNormx/Q(b), and in 
case if is a function field, degdiv(b) = — degNoruiK/k(x)(b). 

Proof of Proposition \5.4\ If b ~ b' , there exists h G K* with hb 1 = b such that 
\h\ p = 1 for all peS. Hence, b(b') -1 = hO K and h G 5(b(b')~\ (0, . . . , 0)). 
Moreover, div(b(b') _1 ) = (h^ 1 ) is principal, i.e. of degree zero, whence degdiv(b) = 
deg div(b'). 

Conversely, we see that div(b(b') _1 ) must be principal as deg div(b(b') _1 ) = 0. 
Hence, there exists h G K* with div(b(b') _1 ) = O" 1 ). But then b(b') -1 = hO K 
and v p {h) = for all p G S, i.e. b ~ b'. □ 

We have now obtained a well-defined map H> ^(h) + A, and we are able to 

test whether b ~ b' for ideals b, b' G Red(if ). The next statement shows that this 
map is injective when restricted to the non-empty set Red(a)/~, and that Red(a)/^ 
is finite for all global fields and some non-global function fields. 

Proposition 5.5. The map 

d a : Red(a)/~ -> G"/A, [±a]~ -> + A 

is injective. In case K is a number field, or K is a function field and T is finite, 
the set Red(o)/^ is finite. In any case, it is non-empty. In case K is a global field, 
Red(a) itself is finite as well. 

Recall that when if is a function field with finite constant field, then T is always 
finite. Note that the injectivity of d a for number fields is also shown by Schoof in 
|Sch081 Lemma 9.2 (ii)]. The finiteness result for global fields is well known, see for 
example [HP$5i Theorems 3 and 4]. 

Proof of Provosition \5.5l For injectivity, assume that d a (ia) = d a (±a); this means 
that - G A. If we choose e G 0* K with = - we obtain 

M p = k^'lp f° r every p G 5. Therefore, h := jj^ satisfies |/i| p = 1 for all p G S, 
and /i • id = -^■e^ 1 a = -Ka, whence -a ~ -^-a. 

fj, jj, M MM 

To see that Red (a) is non-empty, it suffices to show that a has at least one 
minimum. This can be done directly using Riemann's Inequality or Minkowski's 
Lattice Point Theorem, or one can use tools as the Reduction Lemma \6. 61 applied 
to (a, (0, ... ,0)). It returns a tuple whose first component is the equivalence class 
of an element in Red (a). 

In case if is a function field and T is finite, the finiteness of Red(a)/^ follows 
from the fact that <G n /A is finite, since T is isomorphic to a subgroup of G n /A of 
finite index. If moreover k is finite, note that the equivalence class [b]^ of b is finite 
for every b since b = fb' with |/| = 1 for all p G S implies / G B(b, (0, . . . , 0)), 
which is a finite A:- vector space and thus also a finite set. Therefore, Red(b) is the 
union of finitely many finite sets. 

Finally, in case if is a number field, Remark 16.41 (b) and Proposition 18.11 show 
that if b is a reduced ideal, then b _1 is an integral ideal with bounded norm. As 
there are only finitely many of these, Red(a) itself is finite. □ 
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Assume that if is a global field. If we define X a :— Red(a) we obtain the first 
ingredients of an rt-dimensional infrastructure: a finite set X a , a lattice A C G™ of 
full rank, and an injective map d a : X a G"/A. 

The map d a takes the equivalence class of a reduced ideal b in the ideal class 
of a, say b = -a, and maps it to its "distance" ^(a*), which is well-defined up 
to elements of A. Chosing the logarithmic absolute value vector of the relative 
generator fj, as the distance generalizes Shanks' original definition of distance in 
infrastructures [Sha72j . and is used in most treatments of the infrastructure, for 
example in the works of Buchmann and Williams. A notable difference is Lenstra's 
distance function Len82] . In the case of function fields, this is also the common 
measure used to define distances, at least in the case of unit rank one PR99, SchOI , 
ILan09j . 

In this section, we obtained for every a £ Id(Q) a finite set X a , a lattice of full 
rank A C G™, as well as an injective map d a : X a —> G"/A. Here, we needed to 
assume that if is a global field to ensure that X a is finite and A is of full rank, 
though this can also be true for certain function fields with infinite constant fields. 
In fact, for arbitrary function fields, X a is finite if, and only if, A is of full rank. The 
ingredient this is still missing in order to obtain an n-dimensional infrastructure in 
the sense of Definition 14. 2\ namely, a reduction map, will be defined in the next 
section. 

6. /-Representations in Global Fields 

In this section we introduce /-representations Rep^(a) for (Red(a) /^,d a ). Using 
the equivalence of /-representations and reduction maps discussed in SectionHl this 
yields a reduction map red" : G n /A — > X a = Red(a)/~, so that (X a , d a , red") is an 
n-dimensional infrastructure in the sense of Definition 14.21 

Before we define /-representations for arbitrary number fields and function fields, 
we want to consider a special case, namely degp n+ i = I . In this case, the defini- 
tion of an /-representation can be drastically simplified and stated with a lot less 
technical involvement. We distinguish the simpler scenario from the general case 
by appending an asterisk to the / in /-representations. By Corollary 15.31 we can 
replace Red(a)/^ by Red(o) itself, as every equivalence class [b]^ contains exactly 
one reduced ideal. Recall that in this case, an ideal b G ld(0/f) is reduced if 
B(b, (0, . . . , 0)) = k by Proposition 15.21 An /-representation should be a reduced 
ideal b together with numbers t±,...,t n > which determine how far the box 
B(b, (0, . . . , 0)) can be enlarged in the directions of pi,... ,p n without containing 
anything but k. More precisely: 

Definition 6.1. An f* -representation is a tuple (b, (ti, . . . , t n )) £ Red(a) x G" 
such that B{b, (ti, . . . , t n , 0)) = k. Denote the set of all /^representations in 
Red(a) x G" by Rep / *(a). 

We say that (b,t) £ Repf*(a) represents d a {[b]^)+t£ G n /A. 

Remark 6.2. 

(a) If b £ Red(o), then always (b, (0, . . . , 0)) £ Rep / *(a). 

(b) If b = — a for some /i £ K*, and if ti,...,t n £ G are elements such that 

B(b, (ti,...,t n , 0)) = k, then (b, (0, . . . , 0)) £ Rer/*(a). In particular, b G 
Red(a). This shows that the assumption that b G Red(a) in the definition is 
not actually needed. 
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Now wc drop the assumption that degp„+i = 1. We have to introduce certain 
technicalities to ensure that /-representations are well-defined. First, as in the case 
of reduced ideals, we will only have k C B(b, (t\, . . . ,t n ,0)). To ensure that this set 
does not contain too many elements, we need to introduce a technical tool, namely 
a total preordeJl on K*. For h, ti £ K* , define 

h < ti :<{=► (\h\ pn+i , \h\ pi ,. . . , \h\J < eex (\h\ n+1 ,\h'\ pi ,. . . , \ti\ p J, 

where <i ex is the usual lexicographical order on R" +1 . Using this notion, we define 
/-representations as follows: 

Definition 6.3. An f -representation is a tuple ([b]^, (ii, . . . , t n )) £ Red(a)/^ x G n 
such that 1 € B(b 7 (ti, . . . , i„,0)) \ {0} is a smallest element with respect to <. 
Denote the set of all /-representations in Red(a)/^ x G™ by Rep^(a). 

As above, we say that ([b]^,t) £ Rep^(o) represents d°([b]^) + 1 £ G"/A. 

The condition that 1 is a smallest element with respect to < ensures that all 
elements h £ B(b, (t%, . . . , t n , 0)) \ {0} satisfy |/i| p = 1- Moreover, it ensures that 
b is reduced, since any element in B(b, (0, . . . , 0)) \ {0} whose absolute values are 
not equal to 1 would be strictly less than 1 with respect to this order. 

In fact, the choice of < is somewhat arbitrary. One could replace < with any 
other preorder on K* such that: 

(a) if h,h' £ K* satisfy \h\ Pn 1 < \h'\ Pn x , then h < h'; 

(b) if h, ti, h" £ K* satisfy h' < h", then hti < hh"; 

(c) for every ideal b and any t%,... ,t n+ i £ G, the set B(b, (ti, . . . ,t n+ i)) \ {0} 
has a smallest element with respect to < if it is non-empty, and this element 
happens to be a minimum of b in the sense of Definition 15.11 

(d) if h < h' and ti < h for h, ti £ K* , we have \h\ p = \h'\„ for every p £ S. 

The choice of < as the lexicographical order on vectors of absolute values is a 
convenient choice satisfying these conditions, in particular since it is well-suited for 
computations. 

In case degp„+i = 1, /-representations and the simpler /^representations coin- 
cide; this is shown in Proposition l6.5l Before we establish this, we state a few more 
remarks. 

Remark 6.4. 

(a) The definition of an /-representation depends only on the equivalence class 
[6]^ of b: if b, b' are two reduced ideals with b ~ b', an element with given 
absolute values in B(b, (t\, . . . , t n , 0)) exists if and only if an element with the 
same absolute values exists in B{b' , (ti, . . . , t„, 0)). Therefore, Rep^(a) is well- 
defined. 

(b) If (b, (ti,...,t„)) € W(a), then ([b]^, (h, . . . , t n )) £ Rep? (a). 

(c) If b £ Red(o), then always ([b]^, (0, . . . , 0)) £ Rep-^(a). That is, the reduced 
ideals in the ideal class of a, modulo the equivalence relation ~, can be embed- 
ded into Rep-^(a). 

(d) If b = for some fi £ K*, and if ti,...,t n £ G are elements such that 
1 £ B(b, (ti, . . . , t n , 0)) \ {0} is a smallest element with respect to <, then 



A total preorder < on a set X is a binary relation which is reflexive and transitive such that 
for every x, y £ X, we have x < y or y < x. 
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(0, . . . , 0)) G Rep-^(a). In particular, b G Red(a). This shows that the 
assumption that [b]~ G Red(o)/^ in the definition is not actually needed. 

As mentioned before, in case of degp n+1 = 1, /-representations are equivalent 
to the simpler /^-representations introduced first: 

Proposition 6.5. The map 

Rep / *(o) -> Rep / (a), (b, (tx, . . . , t n )) >-> ([b]~, (t x , . . . ,*„)) 
is always an injection. If further degp„+i = 1, it is a bijection. 

Proof. The map is well-defined by Remark 16.41 (b). To see that it is injective, note 
that k C B(b,(0,...,0)) C B(b,(h,...,t n ,0)) = k for (b,(ti,..., t n )) G Rep / *(a), 
whence b ~ b' for b' G Rcd(a) implies b = b'. Therefore, [b]^, contains exactly one 
element, whence ([b]^, (t\, . . . , t n )) has exactly one preimage. 

To see that the map is surjective in case degp„+i = 1, let ([b]^, (tx, . . . ,t n )) G 
Rer/(a). Note that |/i| p = 1 for all h G B(b, (tx, ...,t n , 0))\{0}. We can proceed 
in a very similar manner as in the proof of Proposition [572] In case K is a number 
field, this shows that B(b, (tx, . . . , t n , 0)) = {-1,0,1} = k. 

In case if is a function field, B(b, (tx, ■ ■ ■ ,t n ,0)) = L{D) with D := div(b) + 
52™=i tipi, and we know that L{D— p n +i) = {0}. As in the proof of Proposition [5^1 
we must have dimfc L(D) — 1, whence 1 G L(D) implies L(D) = k. 

So in both cases, B(b, (tx, . . . , t n , 0)) = k, whence (b, (ti, . . . , t n )) G Rep^*(o) is 
a preimage of ([f>]~, (ti, ■ ■ • ,t n )) G Rep^(a). □ 

Before we show that Rep-' ? (o) is indeed a set of /-representations for (Red(a)/^, 
d a ) in the sense of Definition 14.11 we show the following two lemmata, which illus- 
trate how /-representations can be obtained ( "reduction" ) and in which way they 
are unique. These lemmata are crucial to prove that the induced map Rep / (a) -> 
G"/A, (x, t) M- d a (x) + t is a bijection: the Reduction Lemma shows that the map 
is surjective, and the Uniqueness Lemma shows that the map is injective. 

The first result, the Reduction Lemma, shows that any tuple (b, (tx, ■ ■ ■ ,t n )) G 
Id(O^) x G™ can be reduced to an /-representation. Similar to reducing an ideal, 
this procedure divides by a minimum /i of the ideal. The ti have to be adjusted 
by the valuations of fj,. In particular, this result shows that for every ideal a, the 
set Red(a) is not empty, hence giving another proof of the non-emptiness result in 
Proposition 15.51 In fact, the proof is very similar to the proof of that proposition, 
except that here, we divide by a very specific minimum of b. 

Lemma 6.6 (Existence and Reduction). Let b be any ideal equivalent to a, and let 
tx, ■ ■ ■ ,t n G G. Then there exists a smallest £ G G such that B( := B(b, (tx, ■ ■ ■ , t n , £)) 
\{0} is non-empty. If \i G Bg is a smallest element with respect to <, then 

{[^b]^(t 1 +v Pl { l i),...,t n + v Pn (ji))) G Rep^o). 

The proof of Lemma 16.61 shows why £ and /x exist, as claimed in the statement 
of the lemma. 

Before we prove this result, we want to discuss it in the function field case. Let 
D = div(b) + J27=i tiPil then Bg = L(D + £p n +i) \ {0}. In the case of function 
fields with degp n+ i = 1, Hefi' reduction method as described in |Hefi02j works by 
minimizing £ with L(D + £p n+ i) ^ {0}, then chosing an element [i G L(D + £p n+1 )\ 
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{0} and replacing D by 

n 

D + £p n+1 + (p) = div(ib) +Y J ( t i + t, pM)Pi- 

i=i 

Since degp n+ i = 1, dinife L(D + £p n +i) = 1, so the choice of < does not matter: 
any other element // of Bi will yield the same reduced divisor D + (//). 

If degp„ + i > 1, the condition that /j, is a smallest element in Bi with respect to 
< ensures that a is indeed a minimum of b, i.e. that is reduced in the sense of 
Definition 15.11 This shows that the procedure described in the lemma generalizes 
Hefi' reduction. 

Note that if we consider the set X — UfeG^' then X has a smallest element 
with respect to <, and every such smallest element \x will satisfy that I = —Vp n+1 (/i) 
is minimal with Bi ^ 0: this is ensured by the choice of <, which "prefers" elements 
with smaller absolute value |«| p i . Hence, we could relax the lemma by not asking 
that £ is minimal, but just that Bi ^ 0. 

Proof of Lemma WR If £ <C 0, we have Bi — by the Product Formula^ For 
£ ^> 0, we get that Bi ^ by Riemann's Inequality, respectively, Minkowski's 
Lattice Point Theorem. Choose <eG minimal such that Bi ^ 0; in the number 
held case, this is possible since Bi is a finite set: hence, if £' is chosen such that B^ 
is non-empty, we can choose £ = — ma,x{v fSn+1 (x) | x G Be}. 

If if is a number field, then Bi is a finite set, whence a minimal element with 
respect to < clearly exists as well. If if is a function field, then the infinite val- 
uations v v for p € S take on only finitely many values on Bi since Bi U {0} is a 
finite-dimensional vector space, whence the existence of /j. is clear, too. 

If £ is minimal, we have — ^p„ +1 (A*) = £ by choice of /i. Moreover, 

B(±b, (ti + u Pl (ji), . . . , t n + v Pn (/i), 0)) = ifi(b, (ii, . . . , i„,^)) 

and, by choice of /i, we have that 1 = - lies in this set and is minimal among 
the non-zero elements with respect to <• Hence, by Remark 16.41 (c), the claim 
follows. □ 

The second result, uniqueness, shows that reducing an /-representation will al- 
ways yield the same /-representation. This will be utilized in showing that the map 
Rep^(a) — > G™/A is injective: in the proof of Theorem 16.81 we will show that if 
two /-representations are mapped onto the same element of G n /A, then one is a 
reduction in the sense of the Reduction Lemma \6. 61 of the other. 

Lemma 6.7 (Uniqueness). Let A :— ([b]^, (ti, . . . ,t n )) S Rep^(a) and let \x G K* 
such that B := ([^b]^, (ii + v Pl (/x), . . . , t n + ^ p „(a*))) £ Rep^(a). Then \fi\ p = 1 for 
all p G S, and hence A = B. 

Proof. As 1 € B(±b, 0i+i/ Pi (m), • • . ,t n +v Pn {^),0)), we get (i = fi-1 e ( Jl B(±b,(t 1 + 
i/p 1 (/i),...,t n + fp„(At),0))\{0} = B(b, (*i,...,i„, -^p n+1 (M))) \{0}- Hence, /j, is 
minimal in B(b, (t\, . . . ,t n , — v Pn+1 {p))) \ {0} with respect to <. By the choice of 
<, it is also minimal in B(b, (ii, . . . , t ni max{0, — ^p„ + i(m)})) \ {0}; but then, by 
the same argument, 1 is minimal with respect to < in the same set. Thus, we get 
fi < 1 < fx, which shows that |/z| p = 1 for every p £ S. □ 

^Here, a statement being true for i<0 (respectively, i>0) means that there exists some N 
such that the statement holds for all x < N (respectively, x > N). 
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Now we will state our main result in this section, which asserts that the set 
Rep' (a) as given in Definition 16.31 indeed defines a set of /-representations for 
(X a ,d a ) in the sense of Definition 14.11 This can be seen as generalizing Propo- 
sition 13.41 for the one-dimensional infrastructure case. Note that the set X a = 
Red(a)/^ is possibly infinite if if is a function field and k is not finite. 

Theorem 6.8 (Infrastructure, Part I: Correspondence between /-representations 
and G"/A). The map 

$ a : Rep' (a) ->■ G n /A, ([&]-,*) i-> d a (b)+t 
is a bijection, and ([b]~, (0, . . . , 0)) <E Rep' (a) for every [b]„ £ Red(a)/^. 

Note that this result generalizes the injectivity of d a in Proposition [53] for that 
result, it suffices to note that the map Red(o)/^ — > Rep' (a), [b]^ h-> ([b]^, (0, . . . , 0)) 
is an injection. 

Proof of Theorem \6.8i The second part is Remark 16.41 (b). For the injectivity of 
let A = ([b]~,(ii,...,i„)),A' = ([b'U(t' 1 ,...,t' n )) G W(o) with $°(i) = 
$ a (A'). Write b = ±a and b' = jja. Then there exists e £ 0* K with + 
(ti,...,t n ) = + ...,<)+*(e). Define a*" := //- V's; then *<+!/„,(/*") = *■ 
and -jp-b = b', whence by the Uniqueness Lemma \6 .71 we get A — A' . 

For the surjectivity of $ a , let (ti, . . . , t„) + A G G"/A. Then by the Reduc- 
tion Lemma [6.61 there exists /i £ a such that A" = ([-Cl]~, (ti + ^ Pl (/i), . . . ,t n + 

VpM)) G Rep/(o). Now $ a (A") = + (ij +Vp 1 (fl),..-, t n + u Pn (p)) + A = 
(ti, . . . , t n ) + A, as we wanted to show. □ 

So far, we have obtained a set X a — Red(a)/^ of classes of reduced ideals 
equivalent to a, together with a distance map d a : X a — > G"/A and a set of /- 
representations Rep' (a) C X a x G n /A for (X a ,d a ). This means that the map 

<J>° : Rep' (a) -> G"/A, (x, t) h-> d°(a;) + t 

is a bijection, and we know that (x, 0) € Rep'(a) for all x £ X a . This allows us to 
define a reduction map 

red : G"/A -> A a 

for (X°,<i a ) as in the previous section, by taking red n (?;) to be the first component 
of ($ a )- 1 (w) £ Rep'(a). Therefore, assuming AT is a global field, {X a , d a : red") is 
an n- dimensional infrastructure, and we obtain a giant step 

gs a (x, x' ) : = red" (d a (x) + d a (x' ) ) , x, x' £ X a . 

Moreover, as in the one-dimensional case, we can use $ a to turn Rep' (a) into an 
abelian group by pulling back the group operation from G"/A: for A,B £ Rep' (a), 
define 

A® a B := ($ a )- 1 ($ a (A) + $ a (B)). 

Then (Rep' (a), © ) is an abelian group isomorphic to G™/A via $ a . We de- 
note this group operation by © a and not by + since in the next section, we will 
equip UoeidCdf) R- e P ( a ) with a group operation named + which is related to the 
(Arakelov) divisor class group of K. Now (Rep' (Ok )> ®O k ) wm be a subgroup of 
U aeId ( C , K - ) Rep' (a), but no other (Rep'(a),® a ) will be a subgroup. Therefore, we 
reserve the symbol + for the operation defined in the next section. 
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If a = Ok, then the results in the next section allow us to explicitly describe the 
group operation on Rep 7 (0/f). It is essentially ideal multiplication, followed by a 
reduction: if A = ([£>]„, (t u . . . , t n )), B = ([b']~, (t[, . . . ,t' n )) € Rep 7 (0k), we can 
apply the Reduction Lemma [6761 to (bb', (t% +t[,..., t n + t' n )). In case a 7^ Ok, one 
can still describe the group operation © on Rep 7 (a), but one cannot use simple 
ideal multiplication since bb' will not be in the ideal class of as soon as a is not a 
principal ideal; and even if is principal, distances will be added incorrectly. The 
correct formula is given as follows: 

Proposition 6.9. Let A = ([b]~, (ti, . . . , t n )),B = ([b']~, . . . ,t' n )) € Rep 7 (a). 
Apply the Reduction Lemma \6.6\ to (bb'a -1 , (ti + t[, . . . ,t n + t' n )), and denote the 
result by C. Then C € Rep 7 (a) and Affi„ B = C '. 

Proof. Write b — —a and b 1 = -^a. Then bb'a -1 = a lies in the ideal class of o. 
We can now conclude with 

$ a (C) = ^(bb'cT 1 ) + {tl + t[, . . . , t n + t' n ) 

= d a (b) + (h,..., t n ) + d a (b') + (*;,..., t' n ) = $ a (A) + □ 

This result is similar to Remark 13.51 and Example 13.61 in the one-dimensional 
case: the reduced ideals are multiplied and the product is then reduced. In case 
a Ok, a correction factor needs to be multiplied to the product of the ideals. 

In this section, we saw how to construct a set of /-representations Rep 7 (a) and, 
therefore, a reduction map red" for (X a ,d a ) = (Red(a)/^, d a ), thereby turning 
this pair into an n-dimensional infrastructure (X a , d a , red ). We also saw how to 
explicitly compute the group operation induced by the bijection Rep 7 (a) — > G n /A 
in terms of ideal multiplication followed by reduction. This also shows how the 
giant step operation gs([b]^, [b']^) can be computed, by ignoring the i-part of the 
resulting /-representation ([b]~, 0) (Ba ([b']~, 0). This operation generalizes Shanks' 
original approach as sketched in Example 13.61 

7. Relation to the Divisor Class Group 
In this section, we want to relate the set of all /-representations, 

Rep 7 (if) := (J Rep 7 (a), 
a£ld(0 K ) 

to the (Arakelov) divisor class group Pic (if). In case if is a number field, or in 
case if is a function field and degp n +i = 1, we obtain an isomorphism Rep 7 (if) — > 
Pic (if). In case if is a function field and degp n +i > 1, we can identify a subset 
of Rep 7 (if) with Pic (if). We show that we can then extend Pic (if) to obtain a 
group which is isomorphic to Rep 7 (if). Finally, we show how to perform effective 
arithmetic in Rep 7 (if). 

To motivate the fact that there is a relationship between our infrastructures 
(1°, d a , red") together with Rep 7 (o) and the (Arakelov) divisor class group Pic (if ), 
we first consider the aforementioned special case. Assume for a moment that 
degp„ + i = 1, or that if is a number field. In this case, we have the short ex- 
act sequence 



T ^ Pic (if ) Pic(Otf) ^ 0, 
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and we have T = G n /A. Moreover, we have a representation of G"/A by Rep/ (a) 
for every a € Id(C/<), which consists of all /-representations whose reduced ideals 
range over all reduced ideals in the ideal class of o. By the short exact sequence, 
clearly the (Arakelov) divisor class group Pic (if) is covered by |Pic(0#: )| copies of 
G n /A, whence one might hope that Pic°(AT) can be described in a nice way using 
Rep/ (AT) — \J ae id(o K ) R e p/( a )- This turns out to be the case. In fact, Paulus and 
Ruck already showed this for the special case of the infrastructure obtained from a 
real hyperelliptic curve in [PR99 . 

In the general case, i.e. if degp„+i is not necessarily 1, T can be embedded into 
G"/A, but might not cover the entire set, and the map Pic°(AT) — > Pic(Ok) might 
not be surjective. This can only happen in the function field case. It would be 
desirable to have a short exact sequence 

(*) > G n /A ^Pic(O^) ^0 

for all function fields, into which the exact sequence 

(**) T Pic (AT) ^Pic(0 K ) 

embeds in a natural way. If D is a divisor with deg D ^ 0, one obtains an exact 
sequence 

— »- Pic°(if) — >■ Pic(K)/([D]) (degp | p e V K )^/{dcgD)Z 0. 

For the right choice of D, we obtain that Pic (AT) /([D]) is the right replacement for 
the "?" in Equation ((*}. The exact relationship between the exact sequences in 
Equations and will be described later in Proposition 17.21 

We now state the main result for this section, which identifies the set of f- 
representations with the Arakelov divisor class group, or with an extension of 
Pic (if). 

Theorem 7.1 (Infrastructure, Part II: Relating /-representations to the divisor 
class group). 

(a) Let K be a number field. Then the following map is a bijection: 
$ : Rep/ (AT) -> Pic (AT), 



([b]~,(ti,...,i„)) h-> 



div(b) + 2^ Upt dc g p„ +1 Pn+i 



(b) Let K be a function field. Then the following map is a bijection: 
$: Rer/(if)^Pic(if)/{[p n+1 ]), 



([b]^, (*!,...,*„)) h-> 



div(b) + ^£ip, 

i=i 



([Pn+l]) 



Proof. Clearly, the divisors in the definition of $ in the number field case are all 
of degree zero. Hence, one can treat both cases at the same time by ignoring the 
valuations of the divisors at p n +i. First, note that the maps are well-defined, since 
if b is replaced by hb for some h e if* with \h\ = 1 for all p G S, then div(b) is 
replaced by div(b) — (h) = div(hb). 
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To show injectivity, let A = ([b]~, (ti, . . . , t n )) and A' = ([b']~, ... ,*'„)) G 
Rep^ (if) with = i.e. let he K* and feG with 

n n 

div(b) + *#< = div ( b ') + H *<fc + ( h ) + 
j=i »=i 

This gives ±b' = b and = i' i + z/ Pi (/i). But then, A = ([^b'], (4+^pi 0), • • ■ ,4 + 
i / p n (/i))), whence by the Uniqueness Lemma [6.71 we get \h\ = 1 for every p G 5. 
But this implies A — A'. Therefore, $ is injective. 

For surjectivity, let [D] G Pic (if), respectively, [D] G Pic(if)/([p„ +1 ]). Write 
D = div(a) + YTi=i hPi + Zpn+i for a G Id(C K ), i x , . . .,t n ,£ G G. By Reduction 
Lemma [tTBl there exists a /i G b such that £? = ([^ft]~, (ti + . . . ,t n + 

fp„(£t))) G R e P^(-?0; anci , up to pn+i, the divisor in $(-B) equals 

n n 

div (i a ) + + "P^))?* = div ( a ) + W ~ ^Pn+iWPn+l, 

z=l i=l 

i.e. = [£>]. □ 

Note that this gives, in particular, an embedding of Ked(K)/^ into Pic (if), 
respectively, Pic(if )/([p n+ i]), where Red(if) = {J aG id(o K ) R- ed ( a )- I n tne case 
of number fields, Schoof gave a similar embedding in |Sch08] ; more precisely, he 
embedded Red(if) in the oriented Arakelov divisor class group Pic (if), which is 
a cover of Pic (if). Moreover, his embedding assigns different valuations for the 
infinite places. Our embedding has the advantage that it works in a very similar 
way for both number fields and function fields. In the case of real hyperelliptic 
function fields, our embedding is the same as the one by Paulus and Ruck PR99, 
Theorem 4.2]. Moreover, in part (b) of the theorem, the divisor whose class is 
taken is reduced along p n +i in the sense of Hcfi [Hc602_. In case degp n+ i = 1, this 
shows that /-representations directly correspond to arbitrary reduced divisors in 
the sense of Hefi which are reduced along p„+i. 

Finally, note that if we denote by G[p„+i] the 1-parameter subgroup {[gpn+i] | 
g G G} of Pic (if) in case if is a number field, then we can identify Pic (if) with 
Pic(if )/G[p„+i]. Hence, we can write $ as 



$ : Rep' (if) -> Pic(if)/G[p n+ i] 



([b]~, (*!,...,*„)) H' 



div(b) +^2tipi 



[Pn+l\ 



for both number fields and function fields. Thus, Theorem 17.11 completely unifies 
the number field and function field scenarios. 

Before describing how the group operation on Rep' (if) induced by the one on 
Pic(if )/G[p ra +i] can be computed, we want to state a result on the interrelations 
between all aforementioned groups. For that, we first make clear how the map 
T -> G"/A is defined. Assume that T = Div^if )/(0* K /k*), where 0* K /k* is 
embedded into Div° JO (if) by forming principal divisors. Then we obtain a map 
T G n /A by mapping the class of SpeS^pP *° (*Pn • • • >*pn) + A- This map is 
clearly injective. In case if is a number field or if degp n+ i = I, it is surjective as 
well. 



2(5 



FELIX FONTEIN 



Proposition 7.2. The diagram 
>■ T 



G n /A 
— ^Repf(0 K )- 



Pic (if) 

f 

Pic(if)/G[p n+1 ] 



Pic(0 K ) 



Pic(0 K ) 







commutes. In case K is a function field, the image ofT in G"/A is the set 
(t l ) l + AeG n /A 



degp„+i divides degpj L 

i=l J 



and the image of Pic (K) in Rep-^ (if) is the set 



([a]~, (t u ...,t n )) e Rep' (if) 



degp„ + i divides degdiv(a) + /Jtj degp^ 



Proposition [72] shows in particular that the group operation ®o K 011 R- e P^(Cif) 
defined in the last section is identical to the group operation + obtained from the 
group operation on Pic(if )/G[p„+i] restricted to the subset Rep? (Ok)- Hence, we 
are able to relate two group operations which were defined quite differently: ®o K 
is defined by pulling back the addition from G n /A, and + is defined by pulling back 
the addition from Pic(if )/G[p„+i]. 

Proof of Proposition \ 7. 2\ We first show that the left square commutes. For that, we 
compare the maps T -> G"/A Repf(0 K ) -> Rep f (K) -> Pic(if)/G[p n+ i] with 
T -> Pic (if) -> Pic(if)/G[p„+i]. Let the class of D = kpi be an element 

of T. Then it is mapped to (t±, . . . ,t n ) + A in G n /A and to an /-representation 
A = ([\O k ]~, ■ • . ,4)) € Rep^(O^) such that 



(*) ®° K (A) = *(m) + • • ■ , t' n ) + A = (t u . . . , t n ) + A. 

This in turn is mapped to the class of c\w(j^Ok) + SILi t'iPi m Pic(if )/G[p n +i]. 
Hence, we evaluated the class of D along the first composition of maps. 

Now D is rationally equivalent to YH=i *»Pi + (A 1 )- The finite part of this divisor 
is div(i0Rr). The valuation of this divisor at pi is ti + VpXl 1 ) for 1 < i < n, 
and (ti + v 9i (n))i + A = (t' l ) t + A by (*). But this means that [D] = [D - fj] = 
[div(a) -I- X^r=i t'iPi + ^P™+i] m Pic (if) for suitable t € G, whence the first square 
commutes. 

To see that the second square commutes, note that if [D] € Pic (if) with D = 
div(o) + Ym=i *»P*> t nen [D] maps to the ideal class of a in Pic(Ok)- Now the /- 
representation representing [D] +G[p n+ i] can be found by reducing (a, (ti, . . . , t n )), 
yielding the ideal part for some fi e £(a). But the resulting /-representation 

is mapped to the ideal class of in Pic(0if ), which is the same as the ideal class 
of a. Therefore, the second square also commutes. 

Finally, in case if is a function field, the equalities for the images of T in G™/A 
and Pic (if) in Rep' (if) follow from the fact that divisors representing elements 
of T and Pic (if ) must have degree zero. □ 
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It turns out that the group operations in Pic (if), respectively, Pic(A")/([p„+i]), 
can be described in a nice way using /-representations. This directly generalizes 
the arithmetic in (Rep? (Ok), ®o k ) as described in Proposition 16.91 Note that this 
is not related to the arithmetic in (Rep' (a), © a ) for a 7^ Ok- 

The following theorem describes how the group operations on Rep' (if) can be 
effectively computed. 

Theorem 7.3 (Infrastructure, Part III: Computing the group operation). Let A = 
([bU (h, . . . ,t n )),A' = ([b%, (t[, . . .,t' n )) G Rep' (if). 

(a) There exists a minimal £ G G such that Be :— B(bb' , (t\ +t[, . . . , t n +t' n ,£))\{0} 
is non-empty; if /i is a smallest element with respect to < in Be, we get B := 
([Hb'U,(t 1 +t' 1 + v Pl ( t i),...,t n +t' n + v Pn (fi))) G Rep' (if) andt>(A) + <Z>{Ai) = 

(b) There exists a minimal I G G such that Be := B(b , (— 1\, . . . , — t n) £)) \ {0} 
is non-empty; if /z is a smallest element with respect to < in Bg, we get C :— 

([^"V: Hi + "Pi(a0, ■■■,-tn + VpM)) G «^ = HQ- 

The main parts of this lemma were already shown in Lemma 16. 6[ namely that 
B and C are indeed /-representations. The claims $>(A) + $(A') = $(£?) and 
-$(A) = $(C) follows from the fact that div : Id(Oj^) -t Div(if) is a group 
homomorphism as well as from the definitions of $ and of the group operation on 
Pic (if), respectively, Pic(/f )/([p„+i]). 

Note that this "reduction" step, namely minimizing £, and then minimizing 
/1 with respect to < if necessary, is essentially the same what is used for arith- 
metic on hyperelliptic and superelliptic curves GPSQ2], and for Hefi' arithmetic 
in function fields with degp n +i = I HcB02 ; compare the discussion following the 
Reduction Lemma 16.61 This is not very surprising, since as we already mentioned, 
/-representations are another representation of divisors reduced along pn+i- 

We have seen that all infrastructures (Red(a)/^, d a ) in if, and their correspond- 
ing /-representations Rep' (a), can be combined to the set of all /-representations 
Rep' (if ), which parameterizes the (Arakelov) divisor class group Pic(if )/G[p„+i] 2 
Pic (if) using the bijection $. Moreover, we have seen how the group structure on 
Rep' (if) induced by the one on the (Arakelov) divisor class group can be computed 
in terms of /-representations only; this is essentially ideal multiplication followed by 
reduction, hence generalizing Shanks' giant steps. Using Corollary 15.31 and Propo- 
sition 15.41 we are able to compare /-representations. Therefore, we can represent 
the (Arakelov) divisor class group using /-representations and use them to perform 
effective arithmetic. 

8. Computations Using /-Representations 

Infrastructures not only represent an interesting algebraic concept, but /-repre- 
sentations lend themselves very well to computation and lead to efficient algorithms 
for computing fundamental units in global function fields. They require only limited 
storage and allow for efficient giant step computation, as documented in this section. 
Further evidence supporting the suitability of /-representations for computation is 
provided with three non-trivial numerical examples. Proofs of these results and a 
more detailed discussion of implementation go beyond the scope of this work and 
are the subject of a forth-coming paper. 
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We begin with a result on the size of /-representations, which in the function held 
case is identical to a result by Hefi in |Hefi021 Section 8]. In the number held case, 
it generalizes a result by Schoof |Sch08[ Proposition 7.2 (i)] to /-representations; 
his result is slightly stronger than the well-known inequality 1 < Norm^/Q(a -1 ) < 
\/|A| for a G Red(if ), where A is the discriminant of K. 

Remember that degdiv(a) = — logNorm^/q^a) if if is a number held, and 
degdiv(a) = — deg Norm#7jt(x) (<*) if if is a function held. 

Proposition 8.1. Let {[a]~,(ti)i) G Repf(if). Then div(a) > and U > for 

1 < i < n. If K is a function field, let g be its genus, and if K is a number field, 
let A be its discriminant and 2s its number of complex embeddings. Then 

-A \g+ (degp n+ i - 1) if K is a function field, 

< degdiv(a) + > tidegpi < < 1 

I ^ log | A| — s log -| if K is a number field. 

This shows that not only the norm of the integral ideal a -1 as well as the positive 
integers i< are bounded, but a linear combination of these values with positive 
coefficients is bounded. As shown by Paulus and Ruck [PR99j, this bound is sharp 
in the case of real quadratic function helds. 

Proof of Proposttion\FJi Let D = div(a) + Then B ( a ' (*!>•••' *™ °)) = 

contains fc and L(D — pn+i) = B(a, (ii, . . . , t„, — e)) = for every e > 0, 
£ G G. The inclusion shows D > as 1 G fc, whence div(a) > and tj > 0, 
1 < i < n. 

If if is a function held of genus g, by Riemann's Inequality 

n 

= dim fe L(D - p n+1 ) >l-g + degdiv(o) + degp { - degp„ + i; 

i=l 

therefore degdiv(a) + J27=i *« de SPi < 9~ 1 + d.egpn+1- 

If if is a number held with 2s complex embeddings and discriminant A, we have 
B(a, (ti, . . . , i„, -e)) ^ {0} for e > if 



e -edc gP „ + 1 -Q efl de gPl > (l) s ^ Normi , /Q(a) 
i=l 

by Minkowski's Lattice Point Theorem |Neu99l Theorem 5.3]. Hence, we must have 

Solving for deg div(o) + Yl7=i ^ ^eg Pi an< ^ considering that this is true for all e > 
yields the claim. □ 

To represent a reduced ideal, one can use a Hermite normal form representation 
with respect to a fixed integral basis as described in [Coh96| . This allows to repre- 
sent a fractional ideal with a unique binary representation. In the number held case, 
C. Thiel showed in [Thi951 Corollary 3.7] that one can represent a reduced ideal in 
a number field of degree d and discriminant A with at most (d 2 + 1) log 2 y // ]A\ bits. 
For function helds, we obtain: 

Proposition 8.2. Let K be a function field. Assume that elements of k can be 
represented by O(logg) bits. Then f -representations can be represented by 0(d 2 {g+ 
degp„+i - 1) \ogq) bits. □ 
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We will provide a more precise statement as well as a proof in a subsequent 
paper. 

Using a technique similar to Hefi' algorithm for computing Riemann-Roch spaces 
HcB02], we implemented /-representations for function fields. We made the as- 
sumption that deg p n +i = 1 to ensure that we can quickly compare /-representations 
by their binary representation. We added to our implementation an algorithm by 
Buchmann and A. Schmidt BSQ5] to compute the relation lattice A of the elements 
(«7i, . . . ,g n ) in Rep^(0A'), where = (&° K )~ 1 (e i ) if e; 6 U 1 is the z-th standard 
unit vector; note that this is a system of generators of Rep? (Ok )• This lattice equals 
the unit lattice as defined in Section [5j Since the Buchmann-Schmidt algorithm 
is of baby-step giant-step type and requires 0(n-\/|Rep^ (Or)\) group operations 
and 0(yJ\Repf(G K )\) storage of group elements, we therefore implemented an al- 
gorithm which computes the unit lattice of a global function field with at least 
one infinite place of degree one in 0(^/R) infrastructure operations using 0(V~R) 
storage (assuming [K : k(x)} = 0(1)). This can be seen as a generalization of 
Shanks' baby-step giant-step algorithm for computing the unit lattice for a real 
quadratic number field [Sha72] . or of Buchmann's baby-step giant step algorithm 
for computing the unit lattice of an arbitrary number field |Buc87b] . 

Our algorithm was implemented in C-l — h using NTL. It currently relies on 
MAGMA for computation of integral bases and information on the infinite places. 
We present three numerical examples that were obtained using our algorithm. We 
compared the output of our program with MAGMA's built-in function Regulator ( ) ; 
this function apparently uses HeB' subexponential algorithm for computation of the 
divisor class group Hcfi99]. We applied both our algorithm and MAGMA to the 
function fields of many curves. As an example, we want to present three curves: 

(1) y 3 = ( x + ^ y 2 _ ( 1 23 2 ;3 _ 423,2,2 + g48a , _ y y + ( 13x 2 + 3U3x + 11 ) a ,2 Qver 

Fioog; the function field has genus 3, two infinite places of degree 1 (so unit 
rank 1) and regulator 496 804 315; 

(2) y 8 = 81 (x + 2) 2 (x - 3) 3 (a; + l) 3 over F1009; the function field has genus 3, eight 
infinite places of degree 1 (so unit rank 7) and regulator 62 322 365; 

(3) (2 + a)(y 4 - y 2 ) + ^(y 3 + y 2 ) + j^^y = 12^=2 over F 3l2 = F 31 [a] with 
a 2 + 29a + 3 = 0; the function field has genus 3, two infinite places of degree 1, 
one infinite place of degree 2 (so unit rank 2), and regulator 896 118 755. 

These fields show that our implementation is not restricted to curves of special 
form, small unit rank, or prime fields. We also do not require all infinite places to 
have degree one. 

For the first field, MAGMA ran 1.4 to 2.0 hours (in ten different runs) and 
required between 99 MB and 104 MB of memory to compute the regulator. For 
the second field, MAGMA's running time varied dramatically between 3.4 hours 
and 8.9 days in seven runs, with an average of 4.8 days; the memory consumption 
ranged between 119 MB and 127 MB, where usually the memory usage was around 
120 MB, and only spiked up to 127 MB for the two runs which needed only a 
few hours. For the last field, MAGMA worked 2.4 minutes and required 110 MB 
of memory (with minimal variations in twelve runs). On the same machine, our 
implementation was able to compute the regulator in 13.6 minutes for the first field 
using 46 MB of memory, in 9.2 hours for the second field using 97 MB of memory, 
and in 11.6 hours for the last field using 313 MB of memory. 
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Note that our implementation is not very optimized and in a very general form. 
Nonetheless, this demonstrates that the techniques developed in this paper can be 
used for computation, and even outperform the built-in functions of MAGMA in 
certain cases. The latter is not surprising, since the algorithm MAGMA apparently 
uses is designed for small constant fields and characteristics, and for such function 
fields is in general much faster than our implementation. 

9. Conclusion 

We presented a concise interpretation of the infrastructure in a global field, by 
considering a finite set X a , consisting of equivalence classes of reduced ideals in the 
ideal class of a, and a distance map d a : X a — > G n /A, where A is essentially 0* K /k* . 
We have shown how one can find a reduction map red" : G n /A — >• X a by providing 
a set of /-representations. This generalizes one-dimensional infrastructures, and in 
particular Shanks' original approach and its interpretation by Lenstra |Len82j . 

Considering all infrastructures (X a , d a , red"), a € IcI(Ok) in if at the same time, 
we saw that the set of all /-representations, Rep^(if), can be identified with the 
(Arakelov) divisor class group Pic(if )/G[p, i+ i] of if. This generalizes the result by 
Paulus and Ruck [PR99] for hyperelliptic function fields, and is compatible with 
the arithmetic in Pic (if) described by Hefi jHefi02j . Moreover, our embedding of 
Rep^(if) into Pic (if) in the number field case is similar to Schoof's embedding of 
Red(if) into the Arakelov divisor class group Pic (if). 

An important open question is how baby steps can be interpreted in our ap- 
proach. One can interpret them as Buchmann in |Buc87b] as a tool which com- 
putes all reduced elements whose distance lies in a given parallelepiped, as this 
allows baby-step giant-step algorithms for arbitrary infrastructures. Unfortunately, 
no efficient method for computing these "baby steps" is known for number fields. 
Another open question is whether one can find an efficient unique representation 
of elements in Pic (if) in case no infinite place of degree one is available. Having 
a unique representation of an element in Red(if)/^ is required to do fast look-ups 
as in algorithms of baby-step giant-step type. 
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